First packet classification in an encrypted world

Sebastian Müller portrait

by Sebastian Müller
published on: 06.07.2021

With proliferating encryption, network management faces new challenges. One such challenge is the delivery of application awareness. With encryption, deep packet inspection (DPI), which is often used to identify underlying applications, must engage more advanced techniques to deliver this visibility.

R&S®PACE 2, as an OEM DPI software that is widely deployed across various traffic and network security functions, provides this visibility via application classification and metadata extraction. To do so, R&S®PACE 2 employs three major methods: pattern matching, behavioral analysis and statistical/heuristic analyses. Pattern matching involves matching network traffic with thousands of verified application and protocol signatures from the signature library of R&S®PACE 2, which is updated weekly. Behavioral analysis means analyzing the size, order and frequency of a flow’s packets coupled with information on the subscriber and host. Statistical/heuristic analysis, on the other hand, means identifying wider traffic attributes such as the entropy of a flow by calculating statistical measures such as the mean and median across behavioral indicators.

Using the above techniques, R&S®PACE 2 filters each IP flow to determine the underlying application and wider attributes such as speeds, latency and jitter.

First packet classification

First Packet Classification (FPC) is a method for reliably classifying traffic using the first packet instead of waiting for 3 to 5 packets before the underlying application is identified. FPC is important for network operators, SD-WAN vendors, SASE providers and anyone relying on real-time traffic classification, as it helps them implement network management and security rules from the first packet, allowing for a consistent treatment of packets across the entire application.

FPC by DPI utilizes caching, a method in which data from prior classifications is made readily available in the application cache and is matched against the first packet of a flow to identify the underlying application instantaneously. There are two types of caching – DNS caching and service caching. DNS caching reads the hostname from the domain name system (DNS) query and stores the provided IP addresses from the corresponding DNS response. Service caching, on the other hand, identifies a packet’s underlying application or service through the DPI engine and then caches its IP address with the corresponding application or service. Any packet with the same IP address is immediately recognized and no longer requires processing through additional DPI algorithms.

Newer encryption technologies

Newer encryption technologies, such as TLS 1.3, DNS over HTTPs (DOH) and DNS over TLS, unfortunately limit DNS caching as the relationship between IP addresses and their respective domain names and applications becomes impossible to establish, resulting in limited cache information. DPI, which is able to identify traffic encrypted with more commonly used encryption technologies, for example, HTTPs, TLS 1.2 and SSL, will no longer be able to do so for future encrypted traffic. This will inevitably result in FPC becoming ineffective, or not applicable altogether, especially when two or more of these new encryption technologies are used.

Service caching also has its weaknesses. The use of proxy servers and content delivery networks (CDNs) may result in false positives as the IP addresses of certain applications are concealed and therefore cannot be reliably matched to the correct applications or services. The same applies to obfuscated traffic, where traffic payloads are disguised as something entirely different to enable the packets to be sent via protocols that are otherwise not supported by the network or to escape network security policies, as in the case of domain fronting, data tunneling and randomization. In this case, the classification information provided by DPI can end up delivering misleading information about the underlying traffic.

ML and DL to the rescue

The challenges introduced with new encryption technologies, the use of proxies and CDNs as well as the prevalence of traffic obfuscation across modern networks call for techniques that can future-proof DPI given the limitations inherent in caching-based FPC. Responding to this, R&S®PACE 2 is enhancing its encrypted traffic intelligence (ETI), which combines DPI’s traditional methods with deep learning (DL) and machine learning (ML). DL and ML work hand in hand to identify deeper correlations between various traffic attributes ranging from packet and flow patterns to bandwidth and speeds or the frequency and entropy of a flow. These are used to deduce the underlying application accurately even when packets are encrypted or obfuscated.

This helps in identifying subsequent flows on the network. With DL and ML, the identification information is dynamically updated to reflect changes in IP addresses, flow and packet attributes as well as updates in service level attributes.

Amping up ML/DL capabilities

In order to achieve this and to ensure that R&S®PACE 2 continues to deliver reliable, accurate, real-time classification of traffic across newer and emerging encryption technologies, Rohde and Schwarz has established research collaborations with major universities on the classification of traffic that has been encrypted via TLS 1.3, DoH and ESNI or obfuscated via domain fronting. Such research also extends into advanced techniques to circumvent obfuscation, for example through the use of self-learning network management. In addition to these, researchers at Rohde and Schwarz are deploying advanced statistical and classical ML, high-dimensional data analysis and DL to continuously detect and identify the latest encryption and obfuscation technologies as well as other traffic masking methods.


The advancements in ML/DL are expected to set R&S®PACE 2 ahead of its competitors with deep intelligence on encrypted traffic acquired by continuously analyzing traffic over long periods of time and across terabytes of modern network traffic data. These advancements will build on top of traditional DPI methods as well as caching techniques to ensure that DPI as well as FPA, where relevant, still work reliably and accurately. With R&S®PACE 2, network operators and providers, security solution providers and even analytics vendors can focus on network performance and security without being hindered by the need to continuously upgrade their DPI solutions to cater for new encryption technologies as well as new and emerging traffic masking techniques that render traditional DPI methods ineffective. With the right solution, application awareness can be delivered seamlessly for any type of traffic in any part of the network at all times, now and in the future.

Download our R&S®PACE 2 first packet classification datasheet to find out more.

Sebastian Müller portrait

Sebastian Müller

Contact me on LinkedIn

Sebastian is a passionate DPI thought leader guiding a cross-functional team to build the networks of the future with leading traffic analytics capabilities. He has over ten years of dedicated experience in the telecom and cybersecurity domain, providing him with deep understanding of market requirements and customer needs. When he’s not at work, you can either find him on his road bike or hiking in the mountains.

Email: Seb.Mueller@rohde-schwarz.com

Related material

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for our newsletter

Stay informed about the latest news and insights from ipoque